We have a custom (legacy) server-side LoginModule that needs to be able to flush the credential cache for a user on a login failure. We have this requirement because this came up in a security review. We achieve this by looking up the JMX bean for the security domain under the security bean and calling the flushCache method (see attachment).

We are using the "rbac" access-control, not "simple". This has been working fine up until WildFly 12. Starting with WildFly 12 we need to give the "anonymous" user the "Auditor" role (see also https://issues.jboss.org/browse/JBEAP-13845), otherwise the security domain JMX beans are not visible to the application. It seems as if the security domain JMX beans are now considered a sensitive resource. Unfortunately the "Auditor" role also has permissions to modify resources of the administrative audit logging system (Role Based Access Control in WildFly 8 (Tech Tip #12)). We would prefer to use a role that has only view and no modify permissions.

In the Jira issue you mentioned (JBEAP-13845), the workaround section says the Monitor role should be enough. Could you give it a try?

The Monitor role is not enough. If I assign the Monitor role, the MBeans for the security domains ("jaspitest", "jboss-ejb-policy", "jboss-web-policy", "other") under the "security" MBean will not be visible.
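
The lookup-and-flush call described in the first post, as an added example that is not part of the thread and not the poster's attached code. It assumes the security domain is exposed as `jboss.as:subsystem=security,security-domain=<name>` with a `flushCache(String principal)` operation. The class names and the stand-in MBean are hypothetical and exist only so the example runs outside WildFly. It checks visibility first, so a missing role surfaces as an explicit failure instead of stale credentials silently staying cached.

```java
import java.lang.management.ManagementFactory;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class FlushSecurityDomainCache {

    // Constructed stand-in for the security-domain MBean (not WildFly's own class).
    public interface FakeDomainMBean { void flushCache(String principal); }

    public static class FakeDomain implements FakeDomainMBean {
        public String lastFlushed;
        @Override
        public void flushCache(String principal) { lastFlushed = principal; }
    }

    // Assumed ObjectName layout for a legacy security domain.
    static ObjectName domainName(String domain) throws Exception {
        return new ObjectName("jboss.as:subsystem=security,security-domain=" + domain);
    }

    /** Returns true if the domain MBean was visible and flushCache was invoked. */
    static boolean flush(MBeanServer mbs, String domain, String principal) throws Exception {
        ObjectName name = domainName(domain);
        // With "rbac", an MBean the caller's role cannot see is absent from query results.
        Set<ObjectName> visible = mbs.queryNames(name, null);
        if (visible.isEmpty()) {
            return false; // caller should log this: the cached credential was NOT flushed
        }
        mbs.invoke(name, "flushCache",
                   new Object[] { principal },
                   new String[] { String.class.getName() });
        return true;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        FakeDomain other = new FakeDomain();
        mbs.registerMBean(other, domainName("other"));

        // Visible domain: the flush reaches the MBean.
        System.out.println(flush(mbs, "other", "alice") + " flushed=" + other.lastFlushed);
        // Domain that is not visible to the caller (here: simply not registered).
        System.out.println(flush(mbs, "jboss-web-policy", "alice"));
    }
}
```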